Policy Based Routing On Fortigate Firewall

The document discusses configuring policy-based routing on Fortigate firewalls. It explains that policy-based routing allows traffic to be routed based on its source network or host, rather than just its destination. It provides an example scenario where the office network's traffic would be routed over the DSL line while all other traffic uses the leased line. The key steps to configure this on Fortigate are: 1) create a new policy routing entry, 2) specify the incoming interface, source network, outgoing interface and next-hop gateway for the office network traffic, and 3) verify it is now routed correctly using the DSL line by tracing routes from the office network.
Articles from Plain Tutorials

Policy-based Routing on Fortigate Firewall


2012-10-24 11:10:32 Hao Nguyen

As a firewall, Fortigate must know which next-hop to send the traffic to. The routing information is maintained by routing tables in a Fortigate box. Basically, the routing table indicates which interface and next-hop IP address to redirect the traffic to, based on the destination host or network. So the routing table satisfies you when your routing is based on destination. But what about routing based on the source host or network? The answer is to use Policy-based Routing. This tutorial shows you how to configure Policy-based Routing on Fortigate. I will have another article about configuring policy-based routing on a Cisco router. To configure Policy-based Routing on Fortigate, you must know this information: source network/host (incoming interface), destination network/host (outgoing interface), and the types of traffic that will trigger the policy. For example, in the following diagram, I would like to route my Office network 192.168.2.0/24 to use the DSL line, and the rest of the network to use the leased line. On Fortigate, I will have a default route pointing to the leased-line router, where all traffic is redirected, including the traffic generated by the Office network. Moreover, I need to configure an entry within Policy-based Routing to specifically redirect the Office network to use the DSL line.

Configuring Policy-based Routing on Fortigate
Login to Fortigate under an administrative account
Click Router on the left side menu, select Policy Routing
On the top of the right pane, click Create New to create a new policy
When the new policy configuration dialogue appears, enter the following information

Protocol - Leave it as default. This number is found in the IP packet header; refer to RFC 5237. This number ranges from 0 to 255.
Incoming Interface - The interface where traffic is coming from. In the above diagram, the traffic comes from Port 10.
Source Address/Mask - Source network of the traffic. In this case, my source network is the Office network 192.168.2.0/24.
Destination/Mask - Destination network of the traffic. Since I want all traffic from the Office network (to everywhere) routed through the DSL line, I will leave Destination/Mask at its default, which matches everything.
Destination Ports - Traffic types defined by ports. I will leave it as default because I want all traffic to be routed by this policy.
Type of Service - Leave it at the default settings.
Outgoing Interface - The port through which traffic will exit. In this case, my outgoing interface is Port 6.
Gateway Address - Next-hop IP. In this case, my next-hop is 192.168.5.254, which is the internal IP address of the DSL router.

Click OK when everything is filled.
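The same policy-route entry expressed in the FortiOS CLI, as an added example that is not part of the original tutorial. The interface names port10 and port6 are assumed from the diagram's Port 10 and Port 6; the source network and gateway are the tutorial's values. The lines beginning with # are explanatory comments for the reader, not CLI input, and the exact form accepted by set src/set dst varies slightly between FortiOS releases.

```fortios
# Added example (not from the tutorial): CLI equivalent of the GUI policy route.
# Assumptions: incoming interface is "port10", outgoing interface is "port6"
# (the tutorial's Port 10 / Port 6); network and gateway values are the tutorial's.
config router policy
    edit 1
        set input-device "port10"              # Incoming Interface
        set src "192.168.2.0/255.255.255.0"    # Source Address/Mask: Office network
        set dst "0.0.0.0/0.0.0.0"              # Destination/Mask: default, match everything
        set protocol 0                         # Protocol: default, any IP protocol
        set gateway 192.168.5.254              # Gateway Address: internal IP of the DSL router
        set output-device "port6"              # Outgoing Interface
    next
end

# Verification from the FortiGate CLI: list the installed policy routes and
# confirm the entry's src, output interface and gateway are what you intended.
diagnose firewall proute list
```

Two practical points when checking the result: policy routes are evaluated before the normal routing table, so a too-broad source or destination match silently pulls more traffic onto the DSL line than intended, and a policy route does not bypass firewall policy, so a policy permitting port10-to-port6 traffic must exist or the redirected packets are dropped rather than routed.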

Alright, it's done. Now, jump on any computer in the Office network and run a tracert command to 4.2.2.2; you should see the traffic going out via the DSL line.

C:\>tracert -d 4.2.2.2
Tracing route to 4.2.2.2 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.2.254
  2    <1 ms    <1 ms    <1 ms  192.168.100.254
  3     1 ms    <1 ms    <1 ms  192.168.5.254
  4     1 ms     1 ms     1 ms  123.249.57.49
^C
C:\>

Load balancing: By using Policy-based routing, you could load balance your network traffic by spreading it across multiple connections.
